From aa942f4f7cc2146e6a1e5121b46fc290a5246a88 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 16 Apr 2026 17:12:24 +0000 Subject: [PATCH 1/2] chore: plan security architecture docs update Agent-Logs-Url: https://github.com/github/gh-aw/sessions/249a0e4a-598d-40a1-b6e6-8584bce9d02b Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/mcp.json | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/mcp.json diff --git a/.github/mcp.json b/.github/mcp.json new file mode 100644 index 00000000000..b953af2639e --- /dev/null +++ b/.github/mcp.json @@ -0,0 +1,11 @@ +{ + "mcpServers": { + "github-agentic-workflows": { + "command": "gh", + "args": [ + "aw", + "mcp-server" + ] + } + } +} \ No newline at end of file From 4b7de7f91adf9c8cdb9203e0eddbf60362b81afb Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 16 Apr 2026 17:16:22 +0000 Subject: [PATCH 2/2] docs: clarify MCP gateway API key trust boundary Agent-Logs-Url: https://github.com/github/gh-aw/sessions/249a0e4a-598d-40a1-b6e6-8584bce9d02b Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- docs/src/content/docs/introduction/architecture.mdx | 3 +++ docs/src/content/docs/reference/mcp-gateway.md | 3 +++ 2 files changed, 6 insertions(+) diff --git a/docs/src/content/docs/introduction/architecture.mdx b/docs/src/content/docs/introduction/architecture.mdx index 0eb27820eb1..7a9ffb645ac 100644 --- a/docs/src/content/docs/introduction/architecture.mdx +++ b/docs/src/content/docs/introduction/architecture.mdx 
@@ -266,6 +266,9 @@ flowchart LR 4. All MCP traffic remains within the host boundary: AWF restricts egress, and the gateway routes requests to sandboxed MCP servers. 5. When supported by an agent, AWF creates a trusted `api-proxy` that routes model traffic on the agent's behalf while keeping that traffic behind AWF's network controls. This proxy should not be treated as a separate caller-authentication boundary for arbitrary code already running inside the agent container. +> [!WARNING] +> The MCP gateway API key that is mounted into the agent container is not a strong security boundary against a compromised or malicious agent. An agent running arbitrary code may extract the key from process memory, runtime state, or other in-container channels. Treat this key as leaked by design and rely on substrate isolation, network policy, and staged permission separation for security. + ## MCP Server Sandboxing MCP servers execute within isolated containers, enforcing substrate-level separation between the agent and each server instance. Tool filtering at the configuration level restricts which operations each server may expose, limiting the attack surface available to a compromised agent. This isolation ensures that even if an MCP server is compromised, it cannot access the memory or state of other components. diff --git a/docs/src/content/docs/reference/mcp-gateway.md b/docs/src/content/docs/reference/mcp-gateway.md index a957beb5d5a..6d8ec34d995 100644 --- a/docs/src/content/docs/reference/mcp-gateway.md +++ b/docs/src/content/docs/reference/mcp-gateway.md 
@@ -1051,6 +1051,9 @@ The MCP Gateway uses a simple API key authentication scheme. When `gateway.apiKe - Implementations MAY use different formats (e.g., direct value or Bearer scheme) - The specific format is implementation-dependent +> [!WARNING] +> The gateway API key should not be treated as a secure lock against code already running inside the agent container. A sufficiently capable agent may extract it from in-memory process state or other runtime channels. Treat this key as leaked by design and rely on container isolation, network controls, and staged permission boundaries for defense in depth. + **Example formats**: ```http
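Review bot: in the first patch, the commit subject "chore: plan security architecture docs update" does not describe the hunk under it, which adds a new `.github/mcp.json` registering an MCP server command (`gh aw mcp-server`) and touches no documentation at all. If the file is meant to ship with this PR, give it a commit message that says what it configures and why; if it is leftover agent tooling state, drop it. The file also ends without a trailing newline (`\ No newline at end of file`); add one.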
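Review bot: in the `architecture.mdx` hunk, the `> [!WARNING]` callout uses GitHub-flavoured Markdown alert syntax, which an MDX docs build may render as an ordinary blockquote with the literal text `[!WARNING]` in it; check how existing callouts in this file are written and use the same convention. The body also only states what the key does not protect against ("Treat this key as leaked by design ..."); one sentence on the threat the key is still meant to address would tell readers why the key exists at all, since the preceding item 5 already says the `api-proxy` is not a caller-authentication boundary for code inside the agent container.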
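Review bot: in the `mcp-gateway.md` hunk, the new warning is dropped between the bullet list that ends "- The specific format is implementation-dependent" and the "**Example formats**" heading with its `http` block, so it interrupts the description of accepted key formats; move it to the start of the API key authentication section or after the example block. The controls it names ("container isolation, network controls, and staged permission boundaries") also differ in wording from the sibling warning in `architecture.mdx` ("substrate isolation, network policy, and staged permission separation"); use one phrasing in both places, or have this page link to the architecture section rather than restate it.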